3773-9-03
Procedures for accessing personal information.

(A) Personal information systems of the commission are managed on a "need-to-know" basis
whereby the information owner determines the level of access required for an
employee of the commission to fulfill his or her job duties. The determination
of access to confidential personal information shall be approved by the
employee's supervisor and the information owner prior to providing the employee
with access to confidential personal information within a personal information
system. The commission shall establish procedures for determining a revision to
an employee's access to confidential personal information upon a change to that
employee's job duties including, but not limited to, transfer or termination.
Whenever an employee's job duties no longer require access to confidential
personal information in a personal information system, the employee's access to
confidential personal information shall be removed.

(B) Upon the signed
written request of any individual for a list of confidential personal
information about the individual maintained by the commission, the commission
shall do all of the following:

(1) Verify the identity of the individual by a method that
provides safeguards commensurate with the risk associated with the confidential
personal information;

(2) Provide to the individual the list of confidential
personal information that does not relate to an investigation about the
individual or is otherwise not excluded from the scope of Chapter 1347. of the
Revised Code; and

(3) If all information relates to an investigation about
that individual, inform the individual that the commission has no confidential
personal information about the individual that is responsive to the
individual's request.

(C) Upon discovery
or notification that confidential personal information of a person has been
accessed by an employee for an invalid reason, the commission shall notify the
person whose information was invalidly accessed as soon as practical and to the
extent known at the time. However, the commission shall delay notification for
a period of time necessary to ensure that the notification would neither delay
or impede an investigation of the circumstances and involvement of an employee
surrounding the invalid access, nor jeopardize homeland or national security.
Additionally, the commission may delay the notification consistent with any
measures necessary to determine the scope of the invalid access, including
which individuals' confidential personal information invalidly was accessed,
and to restore the reasonable integrity of the system. Once the commission
determines that notification would not delay or impede an investigation, the
commission shall disclose the access to confidential personal information made
for an invalid reason to the person. Notification provided by the commission
shall inform the person of the type of confidential personal information
accessed and the date(s) of the invalid access, and may be made by any method
reasonably designed to accurately inform the person of the invalid access,
including written, electronic, or telephone notice.

(D) The executive
director shall designate an employee of the commission to serve as the data
privacy point of contact. The data privacy point of contact shall work with the
chief privacy officer within the office of information technology to assist the
commission with both the implementation of privacy protections for the
confidential personal information that the commission maintains and compliance
with section 1347.15 of the Revised Code and
the rules adopted pursuant to the authority provided by that chapter.

(E) The
executive director shall designate an employee of the commission to serve as
the data privacy point of contact who shall timely complete the privacy impact
assessment form developed by the office of information technology.